Privacy policy

 

PRIVACY POLICY FOR DATA HUB

Thank you for visiting the Data Hub. At Volkswagen Group Info Services AG we take data protection very seriously.

We have drafted this Privacy Policy to inform you about how we collect, use, disclose and otherwise process Personal Data as well as about your rights under the GDPR. With this Privacy Policy, we inform you about the processing of your Personal Data when visiting our website, when registering for and using the Data Hub, and when communicating with us regarding the Data Hub. Please find the definitions of the capitalized terms used in this Privacy Policy in the Annex below.

1. For whom is this Privacy Policy?

This Privacy Policy covers our processing of Personal Data under applicable data protection laws and regulations with respect to our website and the Data Hub.

By making this Privacy Policy available to you, we comply with our information obligations. In certain cases, the information provided in this Privacy Policy is only applicable based on your location; where this is true, we will address which information is applicable to you expressly in the Privacy Policy. Please note that this Privacy Policy shall not confer upon you any rights or obligations that are not conferred upon you by applicable data protection laws and regulations.

2. Who are we and how can you contact us?

The Controller of your Personal Data is Volkswagen Group Info Services AG, Berliner Ring 2, 38440 Wolfsburg, Germany.

You may contact us via mail at volkswagen.group.data.business@cariad.technology with questions about this Privacy Policy, the processing of your Personal Data in general and to exercise your rights as a data subject as outlined below in section no. 8.

You can reach our data protection officer by mail at the aforementioned address, adding “Data Protection Officer” or by email at privacy@cariad.technology.

Please be informed, that when using the above email-address, not only the data protection officer might gain knowledge of your inquiry. If you want to contact the data protection officer in confidentiality, please send another mail upfront.

3. Where do we collect your data?

We collect your Personal Data when you just use the website (3.1) or when you are registered and logged in to the Data Hub (3.2 - 3.3), when you are registered and logged in to the Data Hub Sandbox (3.4), and when you contact us via email or when using the contact form on this website (3.5) and when you exercise your data subject rights (3.6).

3.1 Website (Visitor)

For visiting the website without logging in, we collect the necessary technical data to securely provide the website (see data categories below).

3.2 Data Hub (B2B Customer)

In order to register for and log in to the Data Hub, you have to use the Single-Sign-On solution ONE Business ID, which is provided by Volkswagen AG. To enter the Data Hub, the following alternatives are available:

  • You already have a One Business ID account from Volkswagen AG and you use these account data to log in to the Volkswagen Group Info Services AG Data Hub.

Or

  • You create your own Volkswagen AG One Business ID account at: https://onebusinessid.com/. Then you can log in to the Volkswagen Group Info Services AG Data Hub with this account data.

With regard to your creation, usage and management of ONE Business ID, Volkswagen AG acts as independent single controller under GDPR. You can find Volkswagen AG's ONE Business ID controller Privacy Policy here: https://onebusinessid.com/legal.

The Personal Data processed by Volkswagen Group Info Services AG falls into the following categories:

  • Identification details (should you contact us about the website or the Data Hub or register your company as a potential Data Provider or Customer), such as your first name and last name;
  • Necessary ONE Business ID login data from Volkswagen AG for a successful access to Volkswagen Group Info Services AG's Data Hub;
  • Data Provider registration details, i.e. data related to registration as a potential Data Provider, such as company name, country;
  • Website data, such as your IP address, the name of your internet service provider, the operating system and the browser you use as well as your browser language;
  • Location information, such as general location information (e.g. city/state and/or postal code associated with your IP address).
  • You are generally not required to provide your Personal Data to us. However, in order to enable and facilitate access to the website and features provided via the website, we require certain Personal Data (e.g. contact details if you contact us as we are otherwise unable to respond). Hence, if you do not provide such Personal Data, we might not be able to provide all features available via the website to you (e.g. contacting Volkswagen Group Info Services AG via the website). You cannot gain access and use the Data Hub without registration as a potential Data Provider or Customer.

3.3 Consent Portal (B2C Customers)

The Consent Portal (consent.drivesomethinggreater.com) is used to collect B2C customer's (Data Subject) consent for personalized data products offered by the Volkswagen Group Info Services AG. To access the Consent Portal the customer needs to be provided with a specific link from the B2B Partner of the Volkswagen Group Info Services AG.

Additional requirements for using the Volkswagen Group Info Services AG Consent Portal:

In order to register for and log into the Consent Portal, you have to use the Single-Sign-On solution VW ID, which is provided by Volkswagen AG. To enter the Consent Portal, the following alternatives are available:

  • You already have a VW ID account from Volkswagen AG and you use these account data to log into the Volkswagen Group Info Services AG Consent Portal.

Or

  • You create your own Volkswagen AG VW ID account at: https://vwid.vwgroup.io. Then you can log into the Volkswagen Group Info Services AG Consent Portal with this account data.

With regard to your creation, usage and management of VW ID, Volkswagen AG acts as independent single controller under GDPR. You can find Volkswagen AG's VW ID controller Privacy Policy here: https://vwid.vwgroup.io/data-privacy.

The Volkswagen Group Info Service AG uses the Volkswagen AG's VW ID as service for user identification and storage of the actual consent status related to Volkswagen Group Info Service AG personalized data products.

3.4 Data Hub Sandbox (B2B Customers)

The Data Hub Sandbox (sandbox.drivesomethinggreater.com) serves as a testing environment for our B2B partners, in order for you

  • to get to know the data products offered by Volkswagen Group Info Services AG.
  • to capture the character/user experience of the data APIs and formats of our data products

The data products provided in the sandbox include solely non-personal, synthetic test data.

To access the Sandbox the B2B customer receives an invitation via email upon request from the Volkswagen Group Info Services Sandbox Team.

The following information will be processed for the registration and use of the Data Hub Sandbox:

  • Contact details (such as your email address)
  • Identification details (such as your first name and last name)
  • Once logged in, your API requests, including user specific data (such as your username, user token, time of request)

3.5 Contact Us (contact form)

When you contact us (email or contact form), we will use the included information contact information (see below) to

  • help you with your inquiry
  • if necessary, forward the included information to the relevant bodies and
  • document a proper handling of your inquiry.

The following information will be processed:

  • Identification details (should you contact us about the website or the Data Hub or register your company as a potential Data Provider or Customer), such as your first name and last name;
  • Contact details (should you contact us about the website or the Data Hub or register your company as a potential Data Provider or Customer), such as your email address, phone number, fax number and address (among others ZIP code, city, state, country), job title;
  • Message details, i.e. data included in your messages sent to Volkswagen Group Info Services AG via the website or via email, such as the company you work for/on behalf of which you contact Volkswagen Group Info Services AG, country in which you are located, area of interest on which your message is based and the contents of your message;
  • Customer registration details, i.e. data related to registration as potential Customer, such as company name, country;

3.6. Fulfillment of data subject rights

When you exercise your data subject rights (see under 10.) the following data can be processed to fulfill your request:

  • Identification & authentication data as far as necessary (Art. 12 par.6 GDPR);
  • The data required to fulfill the requested data subject right (Art. 15 - Art. 21 GDPR);
  • Documentation of the process as necessary (Art. 5 par. 2 GDPR).

4. How do we process your Personal Data?

General

We process your Personal Data for the purposes set forth in the table below. With respect to some specific purposes of processing you will find additional information below the following table.

Purpose of processingPurpose of processing Legal basisLegitimate interest(s) (where relevant)Catogies of Personal Data
To provide the Website

§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. f GDPR

To provide you a telemedia service and to present and develop our business.

Website data, location information
To provide a protected Website area (B2B Customers, B2C Customers and data subjects)

§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b / lit. f GDPR

Providing a protected website area accessible to B2B Customers, B2C Customers and data subjects only.

Identification details, contact details, registration details
To contact you and provide you with information, which you have requested

§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b / lit. f GDPR

Communicating with you upon your request.

Identification details, contat details, message details, Data Provider or Customer registration details
To detect disruptions and to ensure the security of the Website, the Data Hub and our systems, including the detection and tracing of (the attempt of) unauthorized access to our web servers

§ 25(2) Nr. 2 TTDSG in conjunction with Art. 6(1) lit. b / lit. f GDPR

Resolving disruptions and ensuring the security of the Website, the Data Hub and our systems.

Website and Data Hub activity data, location information, identification details
To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies))

Art. 6(1) lit. f GDPR

We may have a legitimate interest in disclosing information to (potential) buyers or acquirers and their external counsels in certain scenarios.

Identification details, contact details, message details, supplier registration details, press distribution list details
To establish, exercise or defend legal claims

Art. 6(1) lit. f GDPR

We have a legitimate interest in the establishment, exercise and defense of legal claims.

Identification details, contact details, message details, Data Provider and Customer registration details, Website data, location information
To comply with legal obligations to which we are subject (e.g. deriving from tax law, or foreign trade law)

Art. 6(1) lit. c GDPR

German Abgabenordung (German Tax Code), German Handelsgesetzbuch (German Commercial Code), etc.

Identification details, contact details, message details, Data Provider registration details, Website data, location information
To carry out compliance investigations

Art. 6(1) lit. f GDPR

We have a legitimate interest in carrying out compliance investigations to safeguard that we comply with our legal obligations.

Identification details, contact details, message details, Data Provider registration details, Website data, location information
For any of the above listed purposes it might be necessary to transfer data to our Affiliates

Art. 6(1) lit. f GDPR

We, as part of the Volkswagen Group, have a legitimate interest in transferring your Personal Data within the group for internal administrative purposes.

The data categories correspond to those listed with respect to the revelant purpose for processing
To collect and record the B2C customer’s consent for personalized data products

Art. 6(1) lit. a / lit. f GDPR

Enabling data consumption of personalized data products for B2B Partners with the consent of the B2C customer.

Identification details, consent decision, consent timestamp, vehilce identification number

5. Log files

As indicated in the table above, we save website data including log files for the purpose of determining disruptions and ensuring security of the website, the Data Hub and our systems.

6. Cookies

Cookies not deleted by you will expire after the time span indicated in the Privacy Policy.

7. Who has access to your Personal Data (recipients of Personal Data)?

We may share your Personal Data with the following recipient(s) :

  • When using a personalized data product, we share your technical user identification ID and consent status with the legitimate data recipient of the specific data product. For more information of all our personalized data products please follow the provided link.

We may share your Personal Data with service providers that process Personal Data on our behalf and subject to our instructions as so-called Processors, for the purpose of providing their professional services to us:

  • IT service provider as data processor: CARIAD SE, Berliner Ring 2, 38440 Wolfsburg
  • B2C Customer consent status collection and storage is provided by Volkswagen AG
  • Separate controllership for running VW ID: Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, VW ID Privacy Policy: https://vwid.vwgroup.io/data-privacy
  • Separate controllership for running ONE Business ID: Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg, ONE Business ID Privacy Policy: https://onebusinessid.com/legal.

We may share your Personal Data with the following third parties:

We may share your Personal Data with Affiliates for the purposes listed in section no. 4 above.

  • Other third parties:
  • State authorities (including tax authorities and law enforcement agencies) for the purpose of compliance with laws and regulations applicable to us
  • Consultants (lawyers and auditors) for the purpose of compliance with legal obligations, corporate transactions and safeguarding our rights
  • Courts for the purpose of safeguarding our rights
  • Potential buyers or acquirers of all or part of our asset(s) and/or activity(ies) for the purpose of corporate transactions

The legal bases relevant for the transfer of Personal Data to third parties can be found in section no. 4 above.

8. Do we transfer your data internationally (third country transfers)?

We process your Personal Data exclusively within the European Economic Area and do not transfer it to third countries.

9. How long do we store your data?

General

Your Personal Data will generally only be stored until they are no longer necessary in relation to the purposes for which they were collected (or otherwise processed).

As an exception, Personal Data may be stored longer where their processing is necessary for compliance with a legal obligation - including compliance with statutory retention periods - to which we are subject or for the establishment, exercise or defense of legal claims.

Cookies

Cookies not deleted by you will expire after the time span indicated in our Cookie Policy.

10. What rights do you have with respect to your Personal Data?

You have the following rights under the GDPR provided that the legal requirements are met:

i. Right of access. You may request information about the processing of your Personal Data and a copy of the Personal Data undergoing processing insofar as such copy does not adversely affect the rights and freedoms of others.

ii. Right to rectification. You may request correction of your Personal Data that is inaccurate and/or completion of such data which are incomplete.

iii. Right to erasure. You may request deletion of your Personal Data, in particular where (i) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) you objected to the processing and there are no overriding legitimate interests for the processing, (iii) your Personal Data has been unlawfully processed or (iv) your Personal Data has to be erased for compliance with a legal obligation to which we are subject. The right to deletion, however, does not apply in particular where the processing of your Personal Data is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.

iv. Restriction of processing. You may request restriction of processing (i) for the period in which we verify the accuracy of your Personal Data if you contested its accuracy, (ii) where the processing is unlawful and you request restriction of processing instead of deletion of the data, (iii) where we no longer need the Personal Data, but you require the data for the establishment, exercise or defense of legal claims or (iv) if you objected to processing until it has been verified whether our legitimate grounds override your interests, rights and freedoms.

v. Right to data portability. You may request to receive your Personal Data, which you have provided to us, in a structured, commonly used machine-readable format and transmit those data to another controller without hindrance from us, where the processing is based on consent or a contract and the processing is carried out by automated means; in these cases you may also request to have the Personal Data transmitted directly to another controller where this is technically feasible.

vi. Right to withdraw consent. You may withdraw your consent at any time for the future where processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal.

vii. Right to object. You have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data which is based on our or a third party’s legitimate interests.

We then will no longer process your Personal Data for the purpose to which you have objected unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where we process your Personal Data for direct marketing purposes based on our or a third party’s legitimate interests, you have the right to object at any time to the processing of your Personal Data for such direct marketing. We then will no longer process your Personal Data for direct marketing purposes.

viii. Right to lodge a complaint. You may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of an alleged infringement if you consider that the processing of your Personal Data infringes the GDPR.

A list of the European supervisory authorities can be found here.

In Wolfsburg, where Volkswagen Group Info Services AG is headquartered, the competent supervisory authority is: Die Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstrasse 5, 30159 Hannover, poststelle@lf.niedersachsen.de.

Please address your requests to exercise your rights to privacy@cariad.technology (with the exception of the right to lodge a complaint with a supervisory authority).

11. No automated decision-making

In the context of this website no automated decision-making takes place.

12. Changes to this Privacy Policy

We reserve the right to amend or modify this Privacy Policy at any time to ensure compliance with applicable laws. Please check regularly whether this Privacy Policy has been updated.

This Privacy Policy has been updated last in September 2023.

13. Annex definitions

The terms and expressions in capital letters used in this Privacy Policy have the meanings set forth below. Additionally, the definitions included in Art. 4 of the GDPR shall apply.

“Affiliate” shall mean any entity which is directly or indirectly controlled by Volkswagen AG. ‘Control’ means direct or indirect ownership or domination of more than 50% of the voting interest of the respective entity.

“Controller”, “we”, “us”, “our” shall mean Volkswagen Group Info Services AG which is the controller of your Personal Data according to section no. 2 in the Policy.

“Data Hub” shall mean the website (drivesomethinggreater.com) provided by Volkswagen Group Info Services AG which:

  • publicly informs about the company Volkswagen Group Info Services AG and its data products;
  • enables a log in area for B2B customers to acquire licenses for the use of specific data sets;
  • provides contact information about Volkswagen Group Info Services AG;
  • enables B2B customers to access the Volkswagen Group Info Services AG Data Hub Sandbox for testing purposes;
  • allows B2C Customers (data subjects) to consent to personalized data products;
  • enables Volkswagen Group Info Services AG to fulfill GDPR data subjects rights

“EEA” shall mean European Economic Area.

“EU” shall mean European Union.

“GDPR” shall mean the General Data Protection Regulation (Regulation (EU) 2016/679).

“Personal Data” shall mean any information relating to an identified or directly or indirectly identifiable living individual.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

“Volkswagen Group” means the Volkswagen Aktiengesellschaft, and its affilitated companies, Berliner Ring 2, 38440 Wolfsburg, Germany.

PRIVACY POLICY FOR OUR PROJECT PARTNERS

1. Controller

This privacy policy informs you about the processing of your personal data by Volkswagen Group Info Services AG, Berliner Ring 2, 38440 Wolfsburg, within the scope of our project partners.

You can reach our data protection officer by post with the addition - data protection officer - or by e-mail at privacy@cariad.technology .

2. Collection and processing of personal data

a) Purpose

Volkswagen Group Info Services AG processes personal data to carry out and manage the contractual relationship existing or in the process of being established with the respective project partner.

In this context, personal data from you as the owner, a manager or an employee of one of our project partners are processed within the scope of various processing activities for different purposes and on different applicable legal basis. Below we provide you with an overview of the purposes of our processing activities:

  • tendering of services and materials - sending out enquiries, requesting outstanding offers, commercial review and completeness check of offers, conducting negotiations.
  • order processing (material, services. equipment) - write, place, send and track orders in the system.
  • supplier and service provider support - communication regarding the products or services, answering enquiries or requirements, bottleneck and risk management.
  • procurement controlling - turnover figures for suppliers or for item numbers.
  • market analysis - e.g. preparation of market analyses, trade fair presence, internet presence, etc.
  • project implementation - e.g. communication within the project team, creation and management of user accounts, assignment of delivery results
  • fulfilment of statutory duties - Adherence to retention obligations, ensuring compliance requirements through audit activities (e.g. sanctions list audit, money laundering) , operation of an internal control system (ICS) and other monitoring systems to ensure the regularity of business processes

The personal data that you as the owner, as a manager or as an employee of a project partner company make available the Volkswagen Group Info Services AG depends on the necessity in connection with the specific activity or the role of the project partner company to successfully perform with Volkswagen Group Info Services AG.

b) Data categories

For this purpose, Volkswagen Group Info Services AG processes the following personal data from you:

  • Professional contact and (work) organizational data;
  • IT usage data;
  • Data on personal/professional circumstances & characteristics;
  • Creditworthiness and bank data;
  • Contract data.

c) Legal basis

The processing of the above categories of data is based on the following legal grounds:

  • Art. 6(1) lit. a GDPR - consent for one or more specific purposes.
  • Article 6(1) lit. b GDPR - fulfilment of the contract or initiation of the contract directly with you as the data subject, e.g. if you are a natural person as a project partner of Volkswagen Group Info Services AG.
  • Article 6(1) lit. c GDPR - fulfilment of legal obligations (e.g. commercial code, tax code).
  • Article 6(1) lit. f GDPR - legitimate interests, e.g. if you are an employee of a project partner of Volkswagen Group Info Services AG.

d) Recipient categories

In certain cases, your personal data may also be disclosed to other group companies as data controllers or processors:

  • data processors of Volkswagen Group Info Services AG according to Art. 28 GDPR (e.g. cloud service providers, collaboration platforms, support companies).
  • third parties, if a legal obligation obliges us to disclose your personal data to comply with national legislation, e.g. transfer to tax authorities, courts, auditors.
  • other project partners as third parties, if the transfer of personal data of one project partner is necessary for the successful cooperation with another project partner and/or if it is necessary for the achievement of the project.

e) Transfer to third countries

Actually we do not transfer personal data to countries outside the European Union or European Economic Area. If we transfer personal data to affiliated companies or service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection, if other appropriate and sufficient data protection guarantees (e.g. EU standard data protection clauses) are concluded or if Art 49 Par 1 GDPR allows us such a transfer.

f) Storage period

As a matter of principle, we delete your personal data as soon as they are no longer required for the above-mentioned purposes.

Your personal data will be stored as long as we are legally obliged to do so or as long as statutory limitation periods apply. In addition, storage takes place insofar as further legal or contractual storage obligations exist or Volkswagen Group Info Services AG has a justified interest in storing the personal data, such as in connection with product liability or liability from contract. We delete your personal data as soon as they are no longer required for the above-mentioned purposes and there are no longer any legal or contractual obligations to retain them (e.g. Commercial Code, Fiscal Code).

In addition, personal data shall be retained for the period during which claims can be asserted against Volkswagen Group Info Services AG (statutory limitation periods).

g) Provision of the data is required

The personal data that you, as the owner, a manager or an employee of a project partner company make available to Volkswagen Group Info Services AG depends on the necessity in connection with the specific activity or the role of the project partner company to successfully perform with Volkswagen Group Info Services AG.

The personal data which are required to carry out the cooperation have to be provided. Without this provision, no proper cooperation between Volkswagen Group Info Services AG and the project partner company can take place.

3. Your rights

In addition to the right to information about the data concerning you and correction of your data, you also have the right to deletion as well as the right to object to the processing or the right to restrict the processing of your data, insofar as this does not conflict with any statutory regulations. Furthermore, you have the right to data portability.

If we collect and process your personal data based on your consent, you also have the right to revoke the consent you have given with effect for the future.

Where necessary, we will need to verify your identity before we can process your particular request.

If, despite our efforts to ensure that the data is correct and up to date, incorrect information is stored, we will correct this after being notified accordingly.

In the event of complaints, there is the possibility of contacting a data protection supervisory authority.

4. Automated decision making

There are no automated decision-making processes pursuant to Art. 22 Para. 1, 4 DSGVO.

5. Data security

Your data is protected by Volkswagen Group Info Services AG by technical and organizational security measures in order to prevent accidental or intentional manipulation, loss, destruction or access by unauthorized individuals.

Our security measures, such as data encryption, are regularly improved in line with technological developments.

Status: November 2022